Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Sparrowvsrevolution (1926150) writes "At the Fast Software Encryption conference in Singapore earlier this week, University of Illinois at Chicago Professor Dan Bernstein presented a method for breaking TLS and SSL web encryption when it's combined with the popular stream cipher RC4 invented by Ron Rivest in 1987. Bernstein demonstrated that when the same message is encrypted enough times--about a billion--comparing the ciphertext can allow the message to be deciphered. While that sounds impractical, Bernstein argued it can be achieved with a compromised website, a malicious ad or a hijacked router.

It's long been suspected that RC4 had weakness based on biases in how it generates random numbers. But sites have nonetheless been moving back to the scheme in response to news of vulnerabilities in AES and Triple DES exploited by recent cryptographic attacks like BEAST and Lucky 13, both of which showed flaws in SSL and TLS in combination with block ciphers. With the news of RC4's insecurity it now seems that it's likely safer to stick with those more modern ciphers and depend on browser vendors to patch the flaws used by those other attacks."Link to Original Source